GRC Tuesdays: Business Continuity – It’s Not Just About Insurance, It’s About Assurance
I was recently discussing business continuity in the event of a crisis with a Chief Risk Officer, and his reaction surprised me. When I asked what processes and procedures were in place, he replied: “We have full insurance coverage. That’s plenty enough.”
I’m sorry, but I beg to differ. To me, this is far from sufficient. Insurance will indeed cover some of the losses incurred, but will it help you protect your reputation and what your customers think of you? Will it protect your employees in the event of a major incident at a remote site?
As you can imagine, my personal answer to all of these questions is no.
Of course you do need insurance: it is one of the risk transfer approaches for those risks that you can’t completely mitigate. But I believe that business continuity plans, crisis and emergency responses, and the associated processes are paramount in protecting a business.
It’s not just about insurance, it’s about assurance that your business is here for the long term.
Integrate Business Continuity in Your Regular GRC Process
As I frequently mention in these blogs, the business context changes all the time. As a result, I often recommend reviewing the risks and their current levels regularly. This also applies to all the risk mitigation measures: action plans in progress, preventative controls, and so on. And of course to policies, including the business continuity plans.
There’s nothing worse than discovering when you’re in the middle of a crisis that your continuity plan doesn’t cater for the major consequences of a risk. Let’s take the example of civil unrest close to one of your remote facilities. If your plan is to evacuate your employees to another location, but you don’t know that this new location is now also in the unrest area, then you’re endangering your employees simply by triggering the very plan that is supposed to protect them.
Test Your Continuity Plans, but Also Audit Them
Testing continuity plans is really the only reliable way of ensuring that they will work as designed in a crisis.
Nevertheless, as with any process, it can be continuously improved. I’m a strong advocate of internal audit reviewing the plans during their audits. This way, not only will they be able to validate the adequacy of a plan, but also, since they review different business units, they may be able to suggest improvements that make the plan even more efficient.
Quite some time ago now, an auditor shared one of his experiences with me. When reviewing the continuity process of a company, they noticed that the IT continuity plans and the personnel plans weren’t coordinated. As a result, the backup site for the employees wasn’t the same as the one defined by IT. In theory, they had a complete end-to-end business continuity process; it just couldn’t work in reality. And that was only discovered when audit reviewed all the plans together.
Benchmark It against Best Practices
Business continuity is a well-established practice, and its practitioners belong to structured professional organizations. Sharing your plans with peers in the same area or industry can only benefit everyone: you, first of all, as you get first-hand feedback from others sharing the same concerns, but also the others, who may be able to enhance their own processes based on your expertise.
To me, business continuity is not a solitary exercise. Business continuity leaders need to pull in experts from across the company to design an efficient plan, and to do so they can rely on their risk management and internal control colleagues, but also on their internal auditors, who can act as true business advisors. Finally, I would strongly suggest engaging with the business continuity community. Yes, business continuity can be a competitive advantage, but when business viability is at stake, the more assurance you get, the more prepared you can be.
Would you agree with this analysis? Who else would you engage in this process?
I look forward to reading your thoughts and comments either on this blog or on Twitter (@TFrenehard)!
Excellent article. I really appreciated it.
How may SAP GRC solutions help a customer address its business continuity management requirements?
Thanks and regards,
First of all, thank you for your kind note.
To effectively implement and automate a sound business continuity process, I would indeed say that SAP GRC has some of the critical components – notably to understand rapidly what processes and business areas are at risk and why – but that you also then of course need a good business continuity planning tool.
As a matter of fact, this is why we at SAP have decided to partner with Sungard Availability Services (AS) to enable customers to take advantage of world class solutions for Governance, Risk and Compliance with SAP and of Business Continuity Solutions with Sungard AS.
Indeed, this way we can help drive value by reducing customers’ effort to run ISO22301 compliant processes, enable a preventive approach with the identification of risk events and their impacts, and allow faster recovery of enterprises in the case of major disasters and disruptions.
Instead of choosing a Business Continuity solution with limited risk, control and audit management capabilities or, conversely, a GRC platform with limited continuity planning capabilities, our intent is to provide customers with two expert solutions in their respective domains that they can then fully leverage to protect their organizations.
In summary, to me Business Continuity is a true example of an integrated approach that is at the cross-roads of many functions including the following:
* SAP Risk Management: since business continuity leverages the critical risks identified that would prevent the company’s objectives from being attained, and on which continuity plans can be true mitigation measures; not preventing the risk from occurring, that is, but reducing its impact in time and damage caused should an incident occur;
* SAP Process Control: since sections of the Business Impact Analysis will derive from the process map and its associated control level;
* SAP Audit Management: since auditors will be key in reviewing the business continuity plans, sometimes even testing them, and potentially issuing some improvement recommendations;
* Sungard Availability Services AssuranceCM: since customers need one central repository for continuity plans in an environment where they can easily maintain these plans with collaborative tools, surveys and reporting capabilities.
Using all the solutions above, you can not only design a continuity plan that truly addresses the root causes of the most critical risks, but you can also continuously keep an eye on your processes to ensure that they perform as intended, and ensure that any issue is detected early so that you can then trigger your continuity process if, and only when, it is needed.
I hope this answers your question.
So if I understand correctly (in plain language): SAP GRC has a business continuity "module"/add-on that integrates Sungard Assurance CM.
Therefore, it would be more than simply preparing risk-based plans; it allows the organization to respond to incidents via the SAP GRC tool-set.
Thank you for your kind feedback and your question.
You are correct: at this stage, we are working on the integration points between SAP GRC and Sungard AS AssuranceCM. Our intent is to synchronise master data and also enable the coverage of risks in SAP GRC by continuity plans documented and managed in Sungard AS AssuranceCM.
Concerning incident management and response, since Sungard AS already has a dedicated module, we have not yet prioritized the integration between the 2 solutions on this topic, but you are right, it would be one of our future intents.